Re: [MediaWiki-l] Embedded login and account creation

2015-10-01 Thread Chris Steipp
On Thu, Oct 1, 2015 at 2:12 AM, Ad Strack van Schijndel < ad.strackvanschijn...@gmail.com> wrote:
> Hi Chris,
>
> Thanks for your answer! One thing I don't understand is about the XFO
> headers.
> Do we have to add them or is it a condition that we don't have them.

You should add them.

Re: [MediaWiki-l] Embedded login and account creation

2015-10-01 Thread Ad Strack van Schijndel
Hi Chris,

Thanks for your answer! One thing I don't understand is about the XFO headers. Do we have to add them or is it a condition that we don't have them.

Ad

On 30 Sep 2015, at 17:48, Chris Steipp wrote:
> Hi Ad, There are some security

Re: [MediaWiki-l] Embedded login and account creation

2015-09-30 Thread Jurij Byrda
I don't know your language at all, please send the emails in Lithuanian!

On 30 Sep 2015 20:22, "Chris Steipp" wrote:
> There is a slight difference in the ux if you're using pushState vs
> actually going to the page, so I think it would be noticed. But agree, I
> should probably have

Re: [MediaWiki-l] Embedded login and account creation

2015-09-30 Thread Chris Steipp
There is a slight difference in the UX if you're using pushState vs actually going to the page, so I think it would be noticed. But agree, I should probably have said "make it more difficult".

On Wed, Sep 30, 2015 at 9:50 AM, Daniel Friesen wrote:
> Bug? There is

Re: [MediaWiki-l] Embedded login and account creation

2015-09-30 Thread Daniel Friesen
On 2015-09-30 8:48 AM, Chris Steipp wrote:
> * We disable site and user .js on Special:UserLogin, so a malicious admin
> can't add password sniffing javascript to the login page

Note that you can make use of pushState to render this protection moot for anyone who clicks the login link instead of

Re: [MediaWiki-l] Embedded login and account creation

2015-09-30 Thread Chris Steipp
Hi Ad,

There are some security considerations if you're going to do that:

* We disable site and user .js on Special:UserLogin, so a malicious admin can't add password sniffing javascript to the login page
* We disable framing the page to prevent various redressing attacks
* If your site is mixed

Re: [MediaWiki-l] Embedded login and account creation

2015-09-30 Thread John
Can you provide any documentation on the details of this exploit?

On Wed, Sep 30, 2015 at 12:50 PM, Daniel Friesen wrote:
> Bug? There is nothing that can be fixed.
>
> You just have to accept that as long as the login page is on the same
> domain as site scripts,

[MediaWiki-l] Embedded login and account creation

2015-09-29 Thread Ad Strack van Schijndel
Hi,

Is there a way to embed the login and/or the account creation on normal pages? I would like to have the possibility to log in from a sidebar as long as the user is anonymous, so that there are no extra clicks to log in. I'm sure if there isn't, there is a very good reason for that and I would